summaryrefslogtreecommitdiffstats
path: root/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
Commit message (Collapse)AuthorAgeFilesLines
...
* [analyzer] Make Malloc aware of inter-procedural execution + basicAnna Zaks2012-02-201-2/+7
| | | | | | tests. llvm-svn: 150993
* [analyzer] Fix another false positive in the Malloc Checker, by makingAnna Zaks2012-02-171-0/+2
| | | | | | | | | | | | it aware of CString APIs that return the input parameter. Malloc Checker needs to know how the 'strcpy' function is evaluated. Introduce the dependency on CStringChecker for that. CStringChecker knows all about these APIs. Addresses radar://10864450 llvm-svn: 150846
* [analyzer] Malloc Checker: Clean up bug naming:Anna Zaks2012-02-161-15/+13
| | | | | | | - Rename the category "Logic Error" -> "Memory Error". - Shorten all the messages. llvm-svn: 150733
* [analyzer] Malloc Checker: Make the diagnostic visitor handle the caseAnna Zaks2012-02-161-22/+74
| | | | | | of failing realloc. + Minor cleanups. llvm-svn: 150732
* [analyzer] Malloc Checker: Give up when a pointer escapes into a struct.Anna Zaks2012-02-161-0/+6
| | | | | | | | We are not properly handling the memory regions that escape into struct fields, which led to a bunch of false positives. Be conservative here and give up when a pointer escapes into a struct. llvm-svn: 150658
* [analyzer] Malloc checker: make a bit safer.Anna Zaks2012-02-151-2/+6
| | | | llvm-svn: 150556
* [analyzer] Malloc Checker: add support for reallocf, which always freesAnna Zaks2012-02-151-22/+44
| | | | | | the passed in pointer on failure. llvm-svn: 150533
* [analyzer] Malloc Checker: add support for valloc + minor codeAnna Zaks2012-02-151-12/+19
| | | | | | hardening. llvm-svn: 150532
* [analyzer] Make Malloc Checker optimistic in presence of inlining.Anna Zaks2012-02-141-53/+100
| | | | | | | | | | | | (In response of Ted's review of r150112.) This moves the logic which checked if a symbol escapes through a parameter to invalidateRegionCallback (instead of post CallExpr visit.) To accommodate the change, added a CallOrObjCMessage parameter to checkRegionChanges callback. llvm-svn: 150513
* [analyzer] Malloc Checker: realloc: add dependency between the symbolsAnna Zaks2012-02-141-9/+6
| | | | | | | | | | | | | in realloc map. If there is no dependency, the reallocated ptr will get garbage collected before we know that realloc failed, which would lead us to missing a memory leak warning. Also added new test cases, which we can handle now. Plus minor cleanups. llvm-svn: 150446
* [analyzer] Malloc Checker: realloc: correct the way we are handing theAnna Zaks2012-02-131-8/+9
| | | | | | case when size is 0. llvm-svn: 150412
* [analyzer] Malloc checker: rework realloc handling:Anna Zaks2012-02-131-34/+80
| | | | | | | | | | | | | | | | | | | 1) Support the case when realloc fails to reduce False Positives. (We essentially need to restore the state of the pointer being reallocated.) 2) Realloc behaves differently under special conditions (from pointer is null, size is 0). When detecting these cases, we should consider under-constrained states (size might or might not be 0). The old version handled this in a very hacky way. The code did not differentiate between definite and possible (no consideration for under-constrained states). Further, after processing each special case, the realloc processing function did not return but chained to the next special case processing. So you could end up in an execution in which you first see the states in which size is 0 and realloc ~ free(), followed by the states corresponding to size is not 0 followed by the evaluation of the regular realloc behavior. llvm-svn: 150402
* [analyzer] Malloc Checker: reduce false negatives rate by assuming thatAnna Zaks2012-02-111-6/+28
| | | | | | | a pointer cannot escape through calls to system functions. Also, stop after reporting the first use-after-free. llvm-svn: 150315
* [analyzer] Malloc Checker: Report a leak when we are returning freedAnna Zaks2012-02-111-0/+6
| | | | | | | | | memory. (As per one test case, the existing checker thought that this could cause a lot of false positives - not sure if that's valid, to be verified.) llvm-svn: 150313
* [analyzer] Malloc checker: Leak bugs should be suppressed by sinks.Anna Zaks2012-02-111-18/+28
| | | | | | | Resolves a common false positive, where we were reporting a leak inside asserts llvm-svn: 150312
* [analyzer] MallocChecker: refactor/improve the symbol escape logic.Anna Zaks2012-02-111-71/+103
| | | | | | We use the same logic here as the RetainRelease checker. llvm-svn: 150311
* [analyzer] MallocChecker Cleanup - harden against crashes, fix an errorAnna Zaks2012-02-101-12/+23
| | | | | | (use of return instead of continue), wording. llvm-svn: 150215
* Remove unused fun.Benjamin Kramer2012-02-091-1/+0
| | | | llvm-svn: 150172
* [analyzer] MallocChecker: address a diagnostic "fixme".Anna Zaks2012-02-091-11/+11
| | | | llvm-svn: 150158
* [analyzer] Add custom path diagnostic to the Malloc Checker.Anna Zaks2012-02-091-1/+77
| | | | | | | Very simple so far - we just highlight every allocation and release site. llvm-svn: 150156
* [analyzer] MallocChecker cleanup, more tests.Anna Zaks2012-02-091-1/+0
| | | | llvm-svn: 150155
* [analyzer] MallocChecker: implement pessimistic version of the checker,Anna Zaks2012-02-081-29/+62
| | | | | | | | | | | | which allows values to escape through unknown calls. Assumes all calls but the malloc family are unknown. Also, catch a use-after-free when a pointer is passed to a function after a call to free (previously, you had to explicitly dereference the pointer value). llvm-svn: 150112
* [analyzer] Split the MallocChecker into two versions - pessimistic andAnna Zaks2012-02-081-2/+16
| | | | | | | | | | | | optimistic. TODO: actually implement the pessimistic version of the checker. Ex: it needs to assume that any function that takes a pointer might free it. The optimistic version relies on annotations to tell us which functions can free the pointer. llvm-svn: 150111
* [analyzer] MallocChecker: convert from using evalCall toAnna Zaks2012-02-081-36/+33
| | | | | | | | | post visit of CallExpr. In general, we should avoid using evalCall as it leads to interference with other checkers. llvm-svn: 150086
* Basic: import SmallString<> into clang namespaceDylan Noblesmith2012-02-051-1/+1
| | | | | | | (I was going to fix the TODO about DenseMap too, but that would break self-host right now. See PR11922.) llvm-svn: 149799
* Basic: import OwningPtr<> into clang namespaceDylan Noblesmith2012-02-051-5/+5
| | | | llvm-svn: 149798
* Move a method from IdentifierTable.h out of line and remove the SmallString ↵Benjamin Kramer2012-02-041-0/+1
| | | | | | | | include. Fix all the transitive include users. llvm-svn: 149783
* Move various diagnostic operator<< overloads out of line and remove includes ↵Benjamin Kramer2012-02-041-0/+1
| | | | | | | | | of Diagnostic.h. Fix all the files that depended on transitive includes of Diagnostic.h. With this patch in place changing a diagnostic no longer requires a full rebuild of the StaticAnalyzer. llvm-svn: 149781
* Change references to 'const ProgramState *' to typedef 'ProgramStateRef'.Ted Kremenek2012-01-261-33/+33
| | | | | | | | At this point this is largely cosmetic, but it opens the door to replace ProgramStateRef with a smart pointer that more eagerly acts in the role of reclaiming unused ProgramState objects. llvm-svn: 149081
* Remove unnecessary default cases in switches over enums.David Blaikie2012-01-171-2/+0
| | | | | | This allows -Wswitch-enum to find switches that need updating when these enums are modified. llvm-svn: 148281
* [analyzer] Make the entries in 'Environment' context-sensitive by making ↵Ted Kremenek2012-01-061-10/+14
| | | | | | | | | | | | | | | | | | entries map from (Stmt*,LocationContext*) pairs to SVals instead of Stmt* to SVals. This is needed to support basic IPA via inlining. Without this, we cannot tell if a Stmt* binding is part of the current analysis scope (StackFrameContext) or part of a parent context. This change introduces an uglification of the use of getSVal(), and thus takes two steps forward and one step back. There are also potential performance implications of enlarging the Environment. Both can be addressed going forward by refactoring the APIs and optimizing the internal representation of Environment. This patch mainly introduces the functionality upon when we want to build upon (and clean up). llvm-svn: 147688
* [analyzer] Be less pessimistic about invalidation of global variablesAnna Zaks2012-01-041-8/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | as a result of a call. Problem: Global variables, which come in from system libraries should not be invalidated by all calls. Also, non-system globals should not be invalidated by system calls. Solution: The following solution to invalidation of globals seems flexible enough for taint (does not invalidate stdin) and should not lead to too many false positives. We split globals into 3 classes: * immutable - values are preserved by calls (unless the specific global is passed in as a parameter): A : Most system globals and const scalars * invalidated by functions defined in system headers: B: errno * invalidated by all other functions (note, these functions may in turn contain system calls): B: errno C: all other globals (which are not in A nor B) llvm-svn: 147569
* Fix 80 col violations.Ted Kremenek2012-01-041-13/+27
| | | | llvm-svn: 147566
* [analyzer] Refactor checkers to use helper function for getting callee Decl ↵Anna Zaks2011-12-011-5/+1
| | | | | | | | and name. We are getting name of the called function or it's declaration in a few checkers. Refactor them to use the helper function in the CheckerContext. llvm-svn: 145576
* [analyzer] Rename generateNode -> addTransition in CheckerContextAnna Zaks2011-10-261-15/+15
| | | | | | Also document addTransition methods. llvm-svn: 143059
* [analyzer] Simplify CheckerContextAnna Zaks2011-10-251-12/+12
| | | | | | | | | Remove dead members/parameters: ProgramState, respondsToCallback, autoTransition. Remove addTransition method since it's the same as generateNode. Maybe we should rename generateNode to genTransition (since a transition is always automatically generated)? llvm-svn: 142946
* [analyze] Convert EndOfPath callback to use CheckerContextAnna Zaks2011-10-251-6/+5
| | | | | | | | Get rid of the EndOfPathBuilder completely. Use the generic NodeBuilder to generate nodes. Enqueue the end of path frontier explicitly. llvm-svn: 142943
* Change operator<< for raw_ostream and NamedDecl to take a reference instead ↵Benjamin Kramer2011-10-141-1/+1
| | | | | | | | of a pointer. Passing a pointer was a bad idea as it collides with the overload for void*. llvm-svn: 141971
* [analyzer] Remove the dependency on CheckerContext::getStmt() as well as the ↵Anna Zaks2011-10-061-5/+9
| | | | | | method itself. llvm-svn: 141262
* [analyzer] Removing references to CheckerContext::getNodeBuilder(): checkers ↵Anna Zaks2011-10-041-1/+1
| | | | | | can obtain block count directly from the Context. llvm-svn: 141112
* If size was equal to 0, either NULL or a pointer suitable to be passed to Zhongxing Xu2011-09-011-5/+2
| | | | | | | | free() is returned by realloc(). Most code expect NULL. And we only need to transfer one final ProgramState. llvm-svn: 138937
* Remove EnhancedBugReport and RangedBugReport - pull all the extra ↵Anna Zaks2011-08-171-1/+1
| | | | | | functionality they provided into their parent BugReport. The only functional changes are: made getRanges() non const - it adds default range to Ranges if none are supplied, made getStmt() private, which was another FIXME. llvm-svn: 137894
* Rename GRState to ProgramState, and cleanup some code formatting along the way.Ted Kremenek2011-08-151-38/+38
| | | | llvm-svn: 137665
* Cleanup various declarations of 'Stmt*' to be 'Stmt *', etc. in libAnalyzer ↵Ted Kremenek2011-08-121-4/+4
| | | | | | and libStaticAnalyzer[*]. It was highly inconsistent, and very ugly to look at. llvm-svn: 137537
* [analyzer] fix bug in malloc checker where the tracked symbol would not ↵Ted Kremenek2011-07-281-11/+18
| | | | | | properly be removed from the state. llvm-svn: 136418
* remove unneeded llvm:: namespace qualifiers on some core types now that ↵Chris Lattner2011-07-231-4/+4
| | | | | | | | LLVM.h imports them into the clang namespace. llvm-svn: 135852
* More accurately model realloc() when the size argument is 0. realloc() with ↵Lenny Maiorani2011-04-271-11/+27
| | | | | | | | a size of 0 is equivalent to free(). The memory region should be marked as free and not used again. Unit tests f2_realloc_0(), f6_realloc(), and f7_realloc() contributed by Marshall Clow <mclow.lists@gmail.com>. Thanks! llvm-svn: 130303
* Remove a redundant method. We have a const version.Zhongxing Xu2011-04-021-0/+1
| | | | llvm-svn: 128762
* [analyzer] Rename CheckerV2 -> Checker.Argyrios Kyrtzidis2011-03-011-2/+2
| | | | llvm-svn: 126726
* [analyzer] Migrate MallocChecker to CheckerV2.Argyrios Kyrtzidis2011-02-281-79/+69
| | | | llvm-svn: 126606
OpenPOWER on IntegriCloud